After upgrading FIPS to 16.1, you receive an error: SHA-1 is not approved for signature generation

Article ID: 389852

Products

Data Loss Prevention Network Discover

Issue/Introduction

After upgrading your FIPS environment to DLP version 16.1, login to the Enforce console fails.

Localhost logs contain the following message:

Cause:
org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: SHA-1 is not approved for signature generation
    at org.bouncycastle.crypto.fips.Utils.checkDigestAlgorithm(Unknown Source)

Environment

16.1

Cause

SHA-1 signature generation is disabled by default in the Bouncy Castle FIPS provider used by 16.1, so the FIPS provider rejects the operation and the login fails.

Resolution

To resolve this, please perform the following steps:

1. On the Enforce Server, locate and edit the SymantecDLPManager.conf file:

  • Linux: /opt/Symantec/DataLossPrevention/EnforceServer/Services
  • Windows: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\Services

  Note: Ensure you take a backup of the SymantecDLPManager.conf file before making any changes.

2. Locate the following setting in the configuration file:

# wrapper.java.additional.31 = -Dorg.bouncycastle.rsa.allow_sha1_sig=true

3. Remove the "# " (the hash sign and the space that follows it) at the beginning of the line, so that it reads:

wrapper.java.additional.31 = -Dorg.bouncycastle.rsa.allow_sha1_sig=true

4. Save the file, restart all DLP services, then attempt to log in again.
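The following script performs steps 1 to 3 on a Linux Enforce Server in a repeatable way: it backs up SymantecDLPManager.conf, then uncomments the exact setting line the article names, matching it as a fixed string rather than a pattern. It is an added example, not part of the article or of the product; the function names, the return codes and the backup file naming are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the article: uncomment the allow_sha1_sig JVM flag
# in SymantecDLPManager.conf (steps 1-3 above), taking a backup first.
# Linux path from the article: /opt/Symantec/DataLossPrevention/EnforceServer/Services
SETTING='wrapper.java.additional.31 = -Dorg.bouncycastle.rsa.allow_sha1_sig=true'

# sha1_sig_enabled <conf>: returns 0 if the active (uncommented) line is present.
sha1_sig_enabled() {
    grep -qxF "$SETTING" "$1"
}

# enable_sha1_sig <conf>: back up the file, then strip the leading "# " from
# the exact setting line. Returns 0 on success or if already enabled,
# 1 if the file is missing, 2 if the commented setting line is not found.
enable_sha1_sig() {
    conf="$1"
    [ -f "$conf" ] || { echo "not found: $conf" >&2; return 1; }
    if sha1_sig_enabled "$conf"; then
        echo "already enabled: $conf"
        return 0
    fi
    grep -qxF "# $SETTING" "$conf" || { echo "commented setting not found: $conf" >&2; return 2; }
    # Backup name is this example's own convention (timestamp suffix).
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Exact whole-line comparison in awk, so the '.' and '=' in the flag are not
    # treated as pattern metacharacters; write back through a temp file so the
    # original file keeps its ownership and mode.
    tmp="$conf.tmp.$$"
    awk -v s="$SETTING" '$0 == ("# " s) { print s; next } { print }' "$conf" > "$tmp" || return 1
    cat "$tmp" > "$conf" && rm -f "$tmp"
    echo "enabled allow_sha1_sig in $conf; restart the DLP services"
}

# Run directly: sh enable_sha1_sig.sh /opt/.../Services/SymantecDLPManager.conf
if [ $# -gt 0 ]; then
    enable_sha1_sig "$1"
fi
```

The flag re-enables SHA-1 signature generation inside the FIPS provider, so treat it as a workaround and track it in your change record rather than leaving it on indefinitely.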